(54) Method and apparatus for autokey rotor encryption



(57) A method and apparatus for block or stream encrypting text uses an autokeyed rotational state vector
to encrypt plain text to yield cipher text. The text is stored as a block in a buffer of an arbitrary number of bytes.
Each byte of plain text in the buffer is encrypted to yield a byte of cipher text by using a rotational state vector, and
the rotational state vector is updated or changed as a function of one or more of: the cipher text, the plain text
and a key. The encryption operation is advantageously a series of alternating non-linear and linear transformations.
The method of encryption is advantageously involutory in that the encryption method and apparatus for
a given key is identical to the decryption method and apparatus with the same key.
Description
Technical Field

The invention relates to the field of cryptography.

Background 

Cryptographic (or cipher) systems and techniques are designed to render communications unintelligible to all
except an intended recipient. Until recently the use of cryptographic systems and techniques has been largely confined
to governments primarily for military and diplomatic applications. However, the use of communications networks (e.g.
cellular systems, computer networks, cable television systems) by the private sector as a means of transferring, storing
and processing information relating to electronic mail, to transactions involving the exchange of goods, services and
financial credits/payments, etc., has given rise to a need to protect the information in these communication networks
from unauthorized disclosure or modification.

This need has, in turn, led to the deployment of cryptographic systems and techniques by the private sector in
such communications networks. For example, cellular communication networks may employ cryptographic systems
to ensure privacy of communications as disclosed in U.S. Patent No. 5,159,634 issued October 27, 1992 and assigned
to the assignee of this invention. Other communication networks, as for example networks linking automatic teller
machines, use the well-known Data Encryption Standard (DES) to encrypt information. See National Bureau of Standards,
"Data Encryption Standard," Fed. Inf. Process. Stand. Publ. 46, Jan. 1977. Cryptographic systems are advantageously
implemented, for example, in special purpose chips, on general-purpose personal computers, or on dedicated
microprocessors imbedded in consumer electronics products. Cryptographic techniques may be executed by program code
in a variety of programming languages such as C, FORTRAN, etc.

The information to be encrypted is known as "plain text." Plain text comprises symbols selected from an alphabet.
An alphabet is a set of symbols arranged in a fixed order, as for example the modern English alphabet where the
symbols are letters arranged {A, B, ..., Z}. Another example of an alphabet is the alphabet of 4 binary symbols arranged
{00, 01, 10, 11}. The plain text is transformed by a function characterized by a parameter called a "key" into "cipher
text." The encryption transformation is sometimes referred to as a cipher.

One very old cipher is the Caesar cipher, a monoalphabetic substitution cipher attributed to Julius Caesar. In the
Caesar cipher for a given alphabet, each symbol in the plain text is shifted by a specified amount to generate a
corresponding symbol in the cipher text. For example, for an alphabet comprising the symbols A to Z, if the plain text is
"DOG" and the symbol shift or key is specified as three, the cipher text is "GRJ" because the symbols G, R and J are
three places to the right of D, O and G, respectively. In this case, the function for transforming the plain text to cipher
text is a one-to-one mapping. A monoalphabetic substitution cipher preserves the frequency distribution of the plain
text symbols in the cipher text. Thus, such a cipher is readily decrypted or broken by taking advantage of the statistical
properties of natural languages and by noting the relative frequencies of symbols and combinations of symbols in the
cipher text, as for example by tentatively assigning the plain text symbols "E" and "T" to the most common cipher text
symbols since "E" and "T" are the most frequently occurring letters in the English language.

One method for making a cipher more difficult to break is to smooth out the frequencies of symbols in the cipher
text so as to render the statistical properties of a language less useful in breaking the cipher. This may be accomplished by
using multiple cipher alphabets, to be used in rotation, thereby creating a polyalphabetic cipher. See, e.g., D. Denning,
Cryptography and Data Security, Addison-Wesley Pub. Co., Reading, Massachusetts, 1982. Rotor or wired codewheel
machines, such as the Enigma machine used by the Germans in World War II, implement polyalphabetic substitution
ciphers. A rotor machine consists of a bank of rotors. The perimeter of each rotor has a set of electrical contacts (e.g.
a contact for each letter A to Z) on both its front and rear faces. Each contact on the front face is wired to a contact on
the rear face to implement a one-to-one mapping of a plain text letter to a cipher text letter. Each rotor can rotate into
26 positions, and the rotors are rotated according to a type of motion (as for example an odometer type of motion)
after each plain text letter is encrypted.

To encrypt a message in a rotor machine, a single plain text letter or symbol enters the bank of rotors at one end,
travels through the rotors in succession, and emerges as a cipher text symbol or letter at the other end. The key for
such rotor machines will typically specify which particular rotors will comprise the bank of rotors, the order of the rotors
in the bank of rotors, the starting point of the rotors, etc. The key may also specify parameters of the rotor motion. For
example in the case of odometer-type rotor motion, the key may specify the point (e.g. at the symbol "Q") at which one
rotor in a bank of rotors causes another rotor in the bank to advance. The cipher is difficult to break because, typically,
the state of the rotor mechanism (i.e. the wiring of the one-to-one mapping in each rotor, the starting position of the
rotors relative to each other and the motion of the rotors relative to each other after encrypting) is unknown.

Rotor machine encryption systems, however, have several shortcomings. First, the speed of encryption is limited
by the speed and reliability of the rotor mechanism. Second, if the rotor motion is the same after each plain text letter
or symbol is encrypted (as may be necessary due to mechanical constraints), the cipher becomes easier to break.
Although these two problems may be addressed by implementing encryption systems in software, still other problems
remain. In particular, while rotor machines are capable of providing a high degree of security (the German Enigma
ciphers were, with immense labor, broken by the Allies in World War II, but some of the rotor ciphers used by the Allies
seem to remain unbroken today), it is often difficult during the design process to predict how difficult the cipher will be
to break.

Another technique for encrypting information uses autokey ciphers. As the name suggests, an autokey cipher is
one in which parameters used in the encryption process, e.g. the key, are automatically changed or updated based
on, for example, the plain text and/or the cipher text. A simple example of an autokey cipher is one where an initial key
"BLUE" is used to encipher the plain text "FLY AT ONCE." The four letters of the key are aligned with the first four
letters of the plain text, i.e. "B" with "F", "L" with "L", "U" with "Y" and "E" with "A". Each pair of aligned letters is "added"
(modulo 26) in the sense that "B" is the first letter of the alphabet (assuming "A" is the zeroeth letter) and "F" is the
fifth letter, and since 1+5 is 6, the plain text "F" is enciphered as the sixth letter, "G". Similarly, "L" is the eleventh letter
of the alphabet: 11+11 is 22, and thus the plain text "L" in the message is enciphered as "W", the 22nd letter of the
alphabet. Continuing this procedure for the first four plain text letters, "FLY A" yields the cipher text "GWSE". To encrypt
the next four letters of plain text "T ONC", the key is advantageously chosen to be the previous four letters of the
encrypted text, i.e. "GWSE." Autokey ciphers have the shortcoming that corruption of a single letter in transmission
affects or causes errors in the rest of the message. Consequently, until the recent availability of techniques (such as
use of error correcting codes) to ensure low probabilities of error in transmission, autokey ciphers have not been
favored.
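
The "BLUE" / "FLY AT ONCE" autokey example above, carried through the whole message and back again, as an added C example that is not part of the patent text. The function names are hypothetical; non-letters in the plain text are skipped and the key is assumed to consist of letters only.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Key letter for position n: the initial key for the first klen letters,
 * afterwards the cipher text letter klen positions back (cipher text autokey,
 * as in the text: "GWSE" becomes the key for the next four letters). */
static int key_letter(const char *key, size_t klen, const char *cipher, size_t n)
{
    return (n < klen ? toupper((unsigned char)key[n]) : cipher[n - klen]) - 'A';
}

/* Enciphers the letters of plain into out (upper case, A = 0, addition
 * modulo 26). Returns the number of letters written. */
size_t autokey_encrypt(const char *plain, const char *key, char *out)
{
    size_t klen = strlen(key), n = 0;
    if (klen == 0) { out[0] = '\0'; return 0; }
    for (; *plain; plain++) {
        if (!isalpha((unsigned char)*plain)) continue;
        int p = toupper((unsigned char)*plain) - 'A';
        out[n] = (char)('A' + (p + key_letter(key, klen, out, n)) % 26);
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Deciphers upper-case cipher text; the key stream is rebuilt from the
 * initial key and the received cipher text alone. */
size_t autokey_decrypt(const char *cipher, const char *key, char *out)
{
    size_t klen = strlen(key), n = 0;
    if (klen == 0) { out[0] = '\0'; return 0; }
    for (; cipher[n]; n++) {
        int c = cipher[n] - 'A';
        out[n] = (char)('A' + (c - key_letter(key, klen, cipher, n) + 26) % 26);
    }
    out[n] = '\0';
    return n;
}

/* The text gives the first four cipher letters, "GWSE"; the remaining five
 * follow from the same rule. Returns 1 when both directions agree. */
int blue_example_ok(void)
{
    char c[32], p[32];
    autokey_encrypt("FLY AT ONCE", "BLUE", c);
    autokey_decrypt(c, "BLUE", p);
    return strcmp(c, "GWSEZKFGD") == 0 && strcmp(p, "FLYATONCE") == 0;
}

int main(void)
{
    char c[32];
    autokey_encrypt("FLY AT ONCE", "BLUE", c);
    printf("%s %d\n", c, blue_example_ok());
    return 0;
}
```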

Ciphers may also be generated by combining encryption techniques. For example, in U.S. Patent No. 1,502,376,
issued July 22, 1924 to Damm, a rotor machine cipher system is described in which the usual rotor motion of a bank
of codewheels is stopped or suspended (i.e. autokeyed) following the encryption of a particular plain text letter.

The particular system or technique used to encrypt information will often depend on issues such as: the level of
security required (i.e. how difficult should it be for unintended recipients to decrypt or break the encrypted information),
the cost and complexity of implementation, the type or format of data to be encrypted, etc. In cases where the information
is represented as a series of binary digits or bits, the information is advantageously encrypted as a stream, e.g. on a
byte-by-byte basis where a byte comprises one or more binary digits. In stream ciphers, the encryption of prior bytes
of plain text may affect the encryption of later bytes (i.e. of those bytes "downstream" from the prior bytes) in that the
later bytes may be encrypted as a function of the prior bytes of plain text and their corresponding cipher text. In other
cases the data to be encrypted has a format of either a fixed-length block of information (comprising, for example, a
specified number of bytes of information) or of blocks whose lengths are restricted to a set of possible lengths.

An encryption system or technique which encrypts a block of information, where the result of the encryption is
independent of the encryption of other blocks, is known as a block cipher. In a block cipher the encryption of any one
bit is a function of one or more other bits in that block but not of bits in other blocks. For example, the DES referred to
above is a block cipher that encrypts information in 64 bit blocks where the encryption of any one bit in the 64 bit block
is a function of each of the other 63 bits in the block but is not a function of bits in other blocks. Block ciphers may also
be used, for example, in protocol applications where, for example, a customer may connect to a network to request
information regarding financial transactions the customer has made or to direct that certain transactions be executed.
In such a situation, the network may challenge the customer to provide a set of responses to a series of prompts from
the network before responding to the customer's requests and directions. Such responses may include specifying an
account number, providing identification information, etc. Not all of the responses will need to be encrypted, but some
particular responses, e.g. identification information, will probably be encrypted for privacy reasons. The identification
information is advantageously of fixed length (e.g. a social security number and a 4 digit personal identification number),
and such fixed length information, intended to be transmitted at a known point in the set of responses prompted by the
protocol, may be encrypted with a block cipher.

Despite the variety of encryption techniques and implementation options for those techniques, there remains a
need for an encryption technique and apparatus that is easily implemented at low cost that will provide an adequate
level of security for private sector applications.

Summary 
In accordance with the present invention it is recognized that instead of defining or fixing relationships between
alphabets in a polyalphabetic cipher in terms of a specific type of motion, such as an odometer type of motion, an
autokeyed rotational state vector may be used to vary the relationship between the alphabets in the cipher during the
encryption process. The rotational state vector is advantageously implemented as a one dimensional array comprising
elements having associated values, wherein the values are changed or updated after encryption of a byte of plain text.
The changing or updating of the rotational state vector after encryption varies the relationships between alphabets in
the cipher thereby making the cipher more difficult to break. In particular, in one embodiment of the inventive method
a stream cipher uses a rotational state to encrypt a plain text byte to generate a cipher text byte. The rotational state
vector is autokeyed by changing one or more values associated with respective elements in the rotational state vector,
the changing being a function of one or more of: the cipher text byte or the plain text byte. In a second embodiment a
block cipher encrypts, using the rotational state vector, a block of information to yield an encrypted block of information
wherein the rotational state vector is updated as a function of one or more of: a byte in said block of information, an
encrypted byte in said block of encrypted information or the key.

Brief Description of the Drawings

FIG. 1 illustrates a system in which the inventive method and apparatus may be used.
FIG. 2 is a flow chart for encrypting text using the inventive method.
FIG. 3 is a block diagram of a system for encrypting text using a rotational state vector that is updated.
FIG. 4 is a flow chart of steps in the inventive method of updating a rotational state vector using autokeying.
FIG. 5 is a flow chart of steps for encrypting a byte of plain text.
FIG. 6 is a flowchart for decrypting text using the inventive method.
FIG. 7 is a diagram of a system for implementing the inventive method.

Detailed Description

FIG. 1 illustrates a system in which the inventive method and apparatus may be used. The system of FIG. 1 conveys
information (e.g. signals representing voice, text, data, video) via broadband signals from central office 120 to
neighborhood 180_j comprising endpoints 140_jm. Each endpoint is, for example, a business establishment or residence which
comprises communication devices (e.g. telephones, televisions, personal computers) which will send and/or receive
information in the broadband signal. The broadband signal advantageously combines both telephony services (such
as plain old telephone service provided by telephone switch/processor 121 which is connected to a telephone network)
and other information from service provider 110-/ (such as cable television channels or interactive television services
as provided, for example, by service provider 110-1) in optical switch 122. The broadband signal is advantageously
carried via fiber optic cable 125 to fiber node 160 where the broadband signal is then carried on coaxial cable 135_j to
neighborhood 180_j. Coaxial cable 135_j and fiber optic cable 125 also carry return signals comprising telephony signals,
interactive services signals, etc., from endpoint 140_jm.

As the system of FIG. 1 illustrates, central office 120 generates the broadband signal for transmission to
neighborhood 180_j. The broadband signal, comprising information required by all endpoints in neighborhood 180_j, will be
transmitted on coaxial cable 135_j that is connected to every endpoint in neighborhood 180_j. In short, every phone call
and every cable television channel required by any one endpoint in neighborhood 180_j will be carried on coaxial cable
135_j. Thus, to ensure that a particular endpoint receives only the information intended for that particular endpoint, the
information is advantageously encrypted at central office 120. Each particular endpoint is provided with its own key
(as advantageously assigned by central office 120) which allows the particular endpoint to decrypt only that information
intended for that particular endpoint. Similarly, return signals from a particular endpoint may advantageously be
encrypted using the particular endpoint's assigned key, and, because the central office assigned the keys originally, the
central office can use the appropriate key to decrypt the return signals.

The encrypted information sent from central office 120 is advantageously decrypted at endpoint 140_jm in network
interfacing unit (NIU) 150_jm which then provides decrypted information to appropriate communication devices within
endpoint 140_jm (e.g. to telephone 1 S0 lm, television 170_jm, personal computer 180_jm). Similarly, information from
endpoint 140_jm is encrypted in NIU 150_jm prior to transmission to central office 120. Encryption is thus used: 1) to assure
privacy in that information transmitted between central office 120 and communication devices in a particular endpoint
is not accessible to other endpoints, and 2) to ensure that only those endpoints which have paid for services (e.g.
premium cable television channels) receive those services. Thus, the encryption (and corresponding decryption)
technique and apparatus in NIU 150_jm must both ensure privacy and prevent theft of services, but such a technique and
apparatus must be readily and easily implemented so as to be commercially viable in the private sector.

The inventive encryption technique and apparatus described below is advantageously implemented in NIU 150_jm
in the system of FIG. 1. The invention combines autokey and rotor encryption techniques. In particular, the method
may be used as a stream cipher in which one or more values of elements in a rotational state vector, used to encrypt
a plain byte to yield a cipher text byte, are changed as a function of one or more of: the cipher text byte or the plain
text byte. The rotational state vector is thus a sequence of values, akin to the bank of rotors in the rotor machines
described above. The method may also be used as a block cipher for encrypting a block of information, the block of
information comprising a plurality of bytes, by first advantageously initializing the rotational state vector as a function
of a key. Next, for each byte in the plurality of bytes, each byte is processed through an alternating cascade of
non-linear and linear transformations to yield a corresponding encrypted byte in the block of encrypted information, wherein
the linear transformations are a function of the rotational state vector. The rotational state vector is then updated as a
function of one or more of: a byte in said block of information, an encrypted byte in said block of encrypted information
or the key. In the context of a block cipher, updating includes causing no change in the value of elements in the rotational
state vector.

EP 0 759 669 A2

The techniques and apparatus may be implemented using an 8-bit microprocessor such as an 8085 or 680x, using
a few hundred bytes of program (e.g. C language code) and permanent data (e.g. data stored in read only memory)
and a few dozen or so bytes of random access memory. More particularly, the inventive method, as described in an
embodiment below, advantageously assumes that the information to be encrypted (or decrypted) is stored in a buffer
of length n 8-bit bytes, i.e. the "block" is n bytes long. Those skilled in the art will recognize a "byte" may comprise any
number of bits, and that 8-bit bytes are advantageously used herein. The information contained in the buffer is subjected
to a series of transformations. The final contents of the buffer are the encrypted (or decrypted) data. In the discussion
below, it is assumed that the bytes of information in the buffer are numbered from left to right, (buf[0], buf[1], ..., buf[n-1]),
where each byte comprises 8 bits. Each 8-bit byte is advantageously regarded as representing a whole number
in the range from 0 to 255, inclusive, and the 8-bit bytes may also advantageously be used as ASCII code to represent
letters and symbols. Whenever arithmetic is performed on these bytes, the arithmetic is advantageously modulo 256
(a.k.a. 8 bit 2's complement) so that the result is another such byte. A key (k) of 12 bytes, denoted (k[0], k[1], ..., k[11]),
is also advantageously assumed.

FIG. 2 illustrates a flow chart of an encryption method using the inventive technique, and Appendix I contains a C
code listing for implementing the inventive method. The inventive technique, executed in steps 220 and 240 of FIG. 2
and described in detail below, is advantageously combined with other encryption steps (e.g. steps 210, 230 and 250)
to make it more difficult for unintended recipients of the encrypted information (produced by steps 210-250) to decrypt
the information.

In FIG. 2 let a represent a block of information (plain text) to be encrypted. In step 210 the block of plain text is
input to a buffer of length n and the contents of the buffer are subtracted from a key (k). The result is a block of encrypted
information b ("block b"). For convenience, the operation in block 210 may be thought of as b=k-a. The key is a set of
parameters advantageously stored in 12 bytes as noted above, and the subtraction is a subtractive modulo 256
Vigenere encryption which uses all 12 key bytes in succession, cyclically, until each byte of plain text in the buffer has been
encrypted. The i-th byte in the buffer, buf[i], is replaced with k[j]-buf[i], where j is equal to i taken modulo 12. The code
in Appendix I corresponding to step 210 is delineated by a bracket with "210" written next to the bracket.

Step 220 takes block b in the buffer and outputs an encrypted block of text c using the inventive technique which
combines autokey and rotor encryption. For convenience, the operation of step 220 is termed M1 so that c=M1 b. The
code in Appendix I corresponding to step 220 is delineated by a bracket with "220" written next to the bracket.

FIG. 3 is a block diagram of a system for executing the operation of step 220 in which a single 8-bit plain text byte
in block b is encrypted to yield a single encrypted 8-bit cipher text byte in block c and in which a sequence of values
of elements in the rotational state vector, used in the encryption process, is changed (if the system is used as a
stream cipher) or updated (if the system is used as a block cipher) as a function of one or more of: the encrypted 8-bit
cipher text byte in block c, the 8-bit plain text byte in block b or a key for the cipher. Although the term "rotational state
vector" is used due to similarities of the operation in step 220 and the wired codewheels used by the Germans in World
War II as described above, it is not necessary to use wired codewheels in implementing the inventive technique and
apparatus. Instead, one can advantageously use the sequence of values of elements in the rotational state vector to
represent the current rotational positions of each of the rotors, and use a series of arithmetic operations and table
look-ups to simulate the effect of passing an electric current through a bank of rotors (i.e. to represent the wiring of the
one-to-one mapping). Each value is advantageously stored as an 8-bit byte and the bytes are stored in a one dimensional
array or vector in a memory device. The updating (in the case of a block cipher) or the changing (in the case of a stream
cipher) of the values of elements in the rotational state vector is equivalent to the moving or rotating of the rotors relative
to each other.

In FIG. 3 encryption processor 320 encrypts a byte of text in b to generate a byte of cipher text in c using input
from translation table 330 and from rotational state vector 310. In encrypting a stream of plain text, values of elements
in rotational state vector are then changed as a function of one or more of: the plain text byte or the cipher text byte.
In the context of using the system of FIG. 3 for encrypting a block of information, the block of information comprising
a plurality of words, the rotational state vector may be updated (which includes the case of making no change to values
of elements in the rotational state vector) as a function of one or more of: encrypted bytes, plain text bytes or the key.

A flowchart in FIG. 4 illustrates the details of step 220 and the operation of the system of FIG. 3. In step 405 a
rotational state vector is advantageously initialized as a function of the key, e.g. the four rotational state vector
components, designated (p[0], p[1], p[2], p[3]) in the code listing in Appendix I, are initialized using the first four words in
the key. Steps 407, 408 and 409 initialize counting parameters i and j used to ensure that each byte in the buffer of
length n is encrypted in its turn. In step 420 the i-th byte is advantageously encrypted by subjecting it to an alternating
series of non-linear and linear transformations using a translation table (explained in detail below) and the rotational
state vector, respectively. Step 420 is illustrated in greater detail in FIG. 5 which illustrates the alternating cascade of
transformations. By interleaving the linear operations (e.g. additions and subtractions) with non-linear operations
(e.g. look-ups in translation tables), the effect of the key is amplified - a key value subtracted late in the encryption process
will not cancel the effect of the same key value added earlier because of the intervening non-linear table look-ups.
The alternating series of transformations comprises five look-up operations and four arithmetic steps. The alternating
series of transformations or operations advantageously take the form of:

save the value of the i-th byte in x

translate the i-th byte according to table R to get a result stored in the i-th byte

subtract the i-th byte from the first rotation state vector and save the result in the i-th byte

translate the i-th byte according to table R to get a result stored in the i-th byte

subtract the i-th byte from the second rotation state vector and save the result in the i-th byte

translate the i-th byte according to table R to get a result stored in the i-th byte

subtract the i-th byte from the third rotation state vector and save the result in the i-th byte

translate the i-th byte according to table R to get a result stored in the i-th byte

subtract the i-th byte from the fourth rotation state vector and save the result in the i-th byte.

As indicated in the code listing in Appendix I, a variable y can also be used as temporary storage for the value of
buf[i]. In step 430 the rotational state vector is updated as a function of one or more of: the cipher text, the plain text or
the key. An example of updating the rotational state vector is given in the code listing in Appendix I. As the example
in the code indicates, before encrypting the next byte of text b in the buffer, the original value of the byte (as stored
temporarily in x) just encrypted is added to the first and third rotation state vector components, and the final value of
the byte encrypted is added to the second and fourth rotation state vector components. The j-th key byte, k[j], where
j=i+4 modulo 12, is also added to the second rotation state vector. In step 440 the counting parameters are updated,
and step 450 directs that the encryption process continue until all text in the buffer is encrypted.

Returning to FIG. 2: in step 230 the bytes in the buffer holding text c are "flipped" to yield text d in the buffer. The
flipping operation exchanges the contents of the first and last bytes, the contents of the second and next-to-last bytes,
and so on. For example, if the buffer contains six 8-bit bytes representing whole numbers between 0 and 255 equivalent
to the ASCII representation of the text "CARBON", the flipping operation would cause the contents of the buffer to
produce the six 8-bit bytes corresponding to the ASCII text "NOBRAC". The code in Appendix I corresponding to step
230 is delineated by a bracket with "230" written next to the bracket. Step 230 thus ensures that the later bytes encrypted
by step 220 affect the encryption of the bytes encrypted earlier by step 220.

In step 240 another left-to-right autokey rotor encryption operation termed M2 is used to encrypt text d in the buffer
to yield text e in the buffer, i.e. e=M2 d. The encryption advantageously uses translation table RI (described below) and
a four byte rotation state vector such that the M2 encryption is the "inverse" of the M1 encryption of step 220. By inverse
it is meant that if the M1 encryption of step 220 was applied to the contents of a buffer and if the M2 encryption of step
240 (without intervening step 230) immediately followed, then no net change to the buffer contents would occur. Like
step 220 above, step 240 encrypts the contents of buf[i] by subjecting the i-th byte to an alternating series of
transformations or operations using an inverse translation table and the rotational state vector. The alternating series of
operations in step 240 advantageously take the form of:

save the value of the i-th byte in y

translate the i-th byte according to table RI to get a result stored in the i-th byte

subtract the i-th byte from the fourth rotation state vector and save the result in the i-th byte

translate the i-th byte according to table RI to get a result stored in the i-th byte

subtract the i-th byte from the third rotation state vector and save the result in the i-th byte

translate the i-th byte according to table RI to get a result stored in the i-th byte

subtract the i-th byte from the second rotation state vector and save the result in the i-th byte

translate the i-th byte according to table RI to get a result stored in the i-th byte

subtract the i-th byte from the first rotation state vector and save the result in the i-th byte

The steps of the M2 operation may be implemented in a manner similar to the implementation of the M1 operation of
step 220 as illustrated in FIG. 3, and the code in Appendix I corresponding to step 240 is delineated by a bracket with
"240" written next to the bracket.

In step 250, the text e is subtracted from the key to yield the final cipher text, designated k-e. In particular, step
250 is a subtractive modulo 256 Vigenere encryption in which all 12 key bytes are used in succession, cyclically, until
each byte in the text e has been encrypted. This is essentially the same operation as in step 210. The code in Appendix
I corresponding to step 250 is delineated by a bracket with "250" written next to the bracket.

Note that as a consequence of attempting to keep the code in Appendix I relatively small, the inventive method is
involutory, i.e. the encryption operation with a given key is identical to the decryption method with the same key. FIG.
6 illustrates this principle by illustrating the steps in a method for decrypting information encrypted using the method
of FIG. 2. In step 610 the cipher text, k-e as output by step 250, is subtracted from the key. Such an operation,
conveniently represented as k-(k-e), yields the text e. The subtraction operation is identical to the subtraction operation of
step 210. Step 620 takes encrypted text e in the buffer and outputs encrypted text d using the inventive techniques of
autokey and rotor encryption as performed by M1 operation of step 220 to yield the text d as shown by the expression:
M1 e = M1 M2 d = d, recalling that M1 and M2 are inverses of each other and that (from step 240) e = M2 d. Step 630 flips
the contents of text d in the buffer in a manner as described for step 230. The flipped buffer contents are c since step
630 simply reverses step 230. Step 640 executes the M2 operation on the buffer contents to yield buffer contents b,
as conveniently noted by observing M2 c = M2 M1 b = b. The M2 operation is similar to the operation described in step 240.
Finally, the original plain text a is recovered in step 650 by subtracting b from the key, k-b=k-(k-a)=a, where the
subtraction operation is of the kind used in step 250. Thus, the encryption operation of FIG. 2 with a given key is identical
to the decryption method of FIG. 6 with the same key.

Recall that the above method utilizes a pair of read-only translation tables R and RI, each of size 256 bytes. Table
R advantageously holds a permutation of the 256 byte values, i.e. R is a permutation table. Table RI advantageously
holds the inverse of table R. Consider the C code in Appendix I labeled Table R. The contents or entries of Table R
are two digit hexadecimal (base 16) values as indicated by the "0x" prefix. The entry in table R at location row 0, column
f (i.e. coordinate (0,f), where f in hexadecimal corresponds to 15 in base 10) is 0x04 indicating that coordinate (0,4)
specifying row 0, column 4 in table RI contains contents 0x0f, i.e. the inverse of the contents in table R. Note that the
above method may be implemented using a self-inverse permutation table so that R and RI are one and the same table.
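The relationship between the two tables can be checked mechanically, which is useful whenever the tables are transcribed by hand. The following is an added example, not code from the patent: it embeds Table R as listed in Appendix I, derives the inverse, and rejects a copy with a constructed transcription error; the function names are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Table R as listed in Appendix I (row = high nibble, column = low nibble). */
static const uint8_t R[256] = {
    0xfd,0x08,0x51,0x0b,0x68,0x1d,0x22,0xf4,0x1c,0x74,0x5d,0x64,0x82,0x56,0x72,0x04,
    0x75,0xb7,0xbb,0xd9,0x14,0x33,0x48,0xc7,0x05,0x42,0xb8,0xc0,0x81,0xec,0x95,0x3a,
    0xf1,0x6e,0x34,0x65,0x10,0x5f,0xbc,0x50,0x24,0xe2,0xd5,0x86,0x27,0x1b,0x3d,0xe0,
    0xe4,0x8f,0xf3,0x90,0x97,0x0f,0xc1,0xbf,0xeb,0x3e,0xe6,0x0d,0x7f,0x2c,0xce,0x94,
    0xcb,0xba,0xaa,0xd2,0x13,0xa5,0x46,0x66,0xc9,0x9c,0xf6,0x11,0x9a,0xed,0xb5,0xa4,
    0x4a,0xa0,0x2a,0xa1,0x32,0xfe,0x23,0xda,0x5b,0xff,0x5e,0xf0,0xd1,0x47,0x5a,0xf8,
    0x41,0x58,0x43,0x84,0x98,0x39,0xd7,0x40,0x83,0xc4,0xe9,0x89,0x01,0x59,0xde,0x0c,
    0x49,0x1a,0xd4,0x61,0x06,0xd3,0xe5,0x1e,0x28,0x38,0xe3,0x54,0xb3,0x99,0x3c,0xd8,
    0x8a,0x7e,0xdc,0x36,0x63,0xb4,0xdd,0xb2,0x52,0x17,0x53,0xcf,0x02,0xe7,0xfb,0x44,
    0xc5,0x6a,0x29,0x78,0x09,0xe8,0x6d,0x7b,0xd6,0x4f,0xcd,0x6b,0xcc,0x87,0x1f,0x4c,
    0xc8,0xb6,0xaf,0xe1,0x35,0xc6,0x77,0xea,0x2f,0x03,0x60,0xa6,0xf2,0xdb,0x96,0xb1,
    0x26,0xd0,0x20,0xfa,0x4b,0x80,0x9e,0xf5,0x9b,0x12,0x07,0x70,0x00,0xa2,0x19,0x30,
    0xae,0x85,0x2d,0xb9,0x93,0x76,0xa9,0xb0,0x37,0x8c,0x6c,0x7a,0xf9,0xac,0x5c,0xad,
    0x91,0x4e,0x88,0x3f,0x62,0x71,0x9f,0x69,0x21,0xc3,0x0e,0x8d,0x79,0x0a,0xfc,0xef,
    0x7d,0x57,0x9d,0x92,0xbe,0x55,0x2e,0x15,0x8e,0xa7,0x31,0x3b,0xca,0xdf,0x4d,0x67,
    0x6f,0xbd,0xf7,0xa3,0x45,0xa8,0x7c,0xee,0x8b,0x16,0x25,0x18,0x73,0xab,0x2b,0xc2
};

/* Derive the inverse table: inv[t[i]] = i.  Returns 1 on success, 0 if t is
   not a permutation (some value occurs twice, so another one is missing). */
int invert_table(const uint8_t t[256], uint8_t inv[256])
{
    uint8_t seen[256] = {0};
    for (int i = 0; i < 256; i++) {
        if (seen[t[i]]++) return 0;
        inv[t[i]] = (uint8_t)i;
    }
    return 1;
}

/* 1 if a and b undo each other in both orders (a == b means self-inverse). */
int are_inverses(const uint8_t a[256], const uint8_t b[256])
{
    for (int i = 0; i < 256; i++)
        if (b[a[i]] != i || a[b[i]] != i) return 0;
    return 1;
}

/* Entry at coordinate (row, col), the addressing used in the description. */
uint8_t entry(const uint8_t t[256], int row, int col) { return t[(row << 4) | col]; }

/* Checks the coordinates quoted in the text, then a deliberately damaged copy. */
int check_tables(void)
{
    uint8_t ri[256], bad[256], tmp[256];
    if (!invert_table(R, ri) || !are_inverses(R, ri)) return 0;
    if (entry(R, 0x0, 0xf) != 0x04 || entry(ri, 0x0, 0x4) != 0x0f) return 0;
    memcpy(bad, R, sizeof bad);
    bad[0x47] = bad[0x23];   /* constructed transcription error: duplicate entry */
    return invert_table(bad, tmp) == 0;
}
```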

FIG. 7 illustrates a system for implementing the above encryption and decryption method in NIU 150/m. The system
comprises the following elements: microprocessor 715, read only memory (ROM) 725 and random access memory
(RAM) 735. The elements are connected by address and data busses 745 which provide means for transferring data
and for sending and receiving control signals among the elements. An optional coaxial interface unit 705 may be used
in FIG. 7 to render signals on the coax line suitable for use on bus 745. Bus 745 is also advantageously connected to
communication devices which utilize decrypted information received from central office 120 or which generate
information to be encrypted prior to transmission to central office 120. RAM 735 advantageously is used to store information
which is updated or which is dynamic, such as the rotational state vector, the key and the buffer containing text for
encryption or decryption. ROM 725 advantageously stores unchanging parameters or information, such as the
translation table and its inverse as well as program code listing the operations to be executed by microprocessor 715. Those
skilled in the art will recognize that other memory devices, e.g. EPROMS, may be used in place of RAM 735 and ROM
725 and that dedicated hardware may be used in place of microprocessor 715.

This disclosure describes a method and apparatus for encryption. The method and apparatus disclosed herein
have been described without reference to specific hardware or software. Instead, the method and apparatus have been
described in such a manner that those skilled in the art can readily adapt such hardware or software as may be
available or preferable for particular applications. While the above teachings of the present invention have been in
terms of encrypting 8-bit bytes of information carried between a central office and an endpoint, those skilled in the art
will recognize the applicability of these teachings to other specific contexts. For example, the above method is readily
expanded to accommodate encryption of 16-bit or 32-bit words as for example by use of 16-bit or 32-bit microprocessors,
respectively. Further, instead of using mod 256 addition and subtraction arithmetic operations, arithmetic operations
in other groups (e.g. the exclusive-or operation, which is "addition" in binary n-space) may be used. Further still,
any binary operation, not necessarily commutative or associative, whose operation table forms a Latin square, may
be used. The inventive method may be used in systems other than the system shown in FIG. 1 as for example in
encoding transmissions in wireless systems, etc. Note that in the code in Appendix I, an emphasis was placed on
speed of execution and on brevity of program size at the expense of higher levels of data security. Although the code
in Appendix I is regarded as sufficiently secure for applications requiring a moderate degree of security, the code in
Appendix I can be lengthened to provide additional security, as for example by increasing the number of transformations
in steps 220 and 240. Similarly, the number of autokey rotor operations (i.e. steps 220 and 240) need not be restricted
to two. Greater security can be obtained by making three or more passes, possibly interspersed with the flip operation
of step 230 or with more complicated operations which could also be autokey rotor operations.
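To make the Latin-square condition concrete, the following added example (not code from the patent) tests candidate byte operations for that property and builds the table needed to undo one linear step. The operation names, the undo table and the function names are assumptions of this example.

```c
#include <stdint.h>

typedef uint8_t (*byteop)(uint8_t p, uint8_t x);   /* p: state byte, x: text byte */

static uint8_t op_sub(uint8_t p, uint8_t x) { return (uint8_t)(p - x); } /* mod 256 subtraction */
static uint8_t op_xor(uint8_t p, uint8_t x) { return (uint8_t)(p ^ x); } /* "addition" in binary n-space */
static uint8_t op_add(uint8_t p, uint8_t x) { return (uint8_t)(p + x); } /* mod 256 addition */
static uint8_t op_and(uint8_t p, uint8_t x) { return (uint8_t)(p & x); } /* counter-example */

/* 1 if the 256x256 operation table is a Latin square: each byte value occurs
   exactly once in every row (fixed p) and in every column (fixed x). */
int is_latin_square(byteop op)
{
    for (int a = 0; a < 256; a++) {
        uint8_t row[256] = {0}, col[256] = {0};
        for (int b = 0; b < 256; b++) {
            if (row[op((uint8_t)a, (uint8_t)b)]++) return 0;   /* repeat in row a */
            if (col[op((uint8_t)b, (uint8_t)a)]++) return 0;   /* repeat in column a */
        }
    }
    return 1;
}

/* 1 if applying the step twice with the same state restores the text byte,
   i.e. op(p, op(p, x)) == x for all p and x. */
int is_self_inverse(byteop op)
{
    for (int p = 0; p < 256; p++)
        for (int x = 0; x < 256; x++)
            if (op((uint8_t)p, op((uint8_t)p, (uint8_t)x)) != x) return 0;
    return 1;
}

static uint8_t undo[256][256];   /* undo[p][c] = the x for which op(p, x) == c */

/* Fill undo[][] for op.  Returns 0 if some row is not a permutation, in which
   case a result byte does not determine the text byte and the step cannot be undone. */
int build_undo(byteop op)
{
    for (int p = 0; p < 256; p++) {
        uint8_t seen[256] = {0};
        for (int x = 0; x < 256; x++) {
            uint8_t c = op((uint8_t)p, (uint8_t)x);
            if (seen[c]++) return 0;
            undo[p][c] = (uint8_t)x;
        }
    }
    return 1;
}

/* Invert one linear step: recover x from c = op(p, x) using the table. */
uint8_t undo_step(uint8_t p, uint8_t c) { return undo[p][c]; }
```

Subtraction and exclusive-or are their own inverses in the text argument, so the same step works in both directions; addition also forms a Latin square but needs the undo table (or its algebraic inverse) on the decrypting side.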
APPENDIX I



typedef unsigned char uchar;

extern uchar r[256], ri[256];   /* Table R and its inverse, Table RI */

void cipher(uchar buf[], int n, uchar k[12]){
    unsigned char p[4], x, y;
    int i, j;

    /* 210: subtract each text byte from the key, using the 12 key bytes cyclically */
    j = 0;
    for(i=0; i<n; i++) {
        buf[i] = k[j] - buf[i];
        if(++j==12) j = 0;
    }

    /* 220: first autokey rotor pass, translation table R */
    p[0] = k[0];
    p[1] = k[1];
    p[2] = k[2];
    p[3] = k[3];
    j = 4;
    for(i=0; i<n; i++,j++){
        if(j==12) j = 0;
        y = x = buf[i];
        y = r[y]; y = p[0] - y;
        y = r[y]; y = p[1] - y;
        y = r[y]; y = p[2] - y;
        y = r[y]; y = p[3] - y;
        y = r[y];
        buf[i] = y;
        /* update the rotational state vector from the text and the key */
        p[0] += x;
        p[1] += y+k[j];
        p[2] += x;
        p[3] += y;
    }

    /* 230: flip (reverse) the buffer */
    j = n-1;
    for(i=0; i<j; i++,j--){
        x = buf[i];
        buf[i] = buf[j];
        buf[j] = x;
    }

    /* 240: second autokey rotor pass, inverse translation table RI */
    p[0] = k[0];
    p[1] = k[1];
    p[2] = k[2];
    p[3] = k[3];
    j = 4;
    for(i=0; i<n; i++,j++){
        if(j==12) j = 0;
        y = x = buf[i];
        x = ri[x]; x = p[3] - x;
        x = ri[x]; x = p[2] - x;
        x = ri[x]; x = p[1] - x;
        x = ri[x]; x = p[0] - x;
        x = ri[x];
        buf[i] = x;
        /* same state update as in 220 */
        p[0] += x;
        p[1] += y+k[j];
        p[2] += x;
        p[3] += y;
    }

    /* 250: subtract each text byte from the key, as in 210 */
    j = 0;
    for(i=0; i<n; i++) {
        buf[i] = k[j] - buf[i];
        if(++j==12) j = 0;
    }
}



uchar r[256] = {
    0xfd,0x08,0x51,0x0b,0x68,0x1d,0x22,0xf4,0x1c,0x74,0x5d,0x64,0x82,0x56,0x72,0x04,
    0x75,0xb7,0xbb,0xd9,0x14,0x33,0x48,0xc7,0x05,0x42,0xb8,0xc0,0x81,0xec,0x95,0x3a,
    0xf1,0x6e,0x34,0x65,0x10,0x5f,0xbc,0x50,0x24,0xe2,0xd5,0x86,0x27,0x1b,0x3d,0xe0,
    0xe4,0x8f,0xf3,0x90,0x97,0x0f,0xc1,0xbf,0xeb,0x3e,0xe6,0x0d,0x7f,0x2c,0xce,0x94,
    0xcb,0xba,0xaa,0xd2,0x13,0xa5,0x46,0x66,0xc9,0x9c,0xf6,0x11,0x9a,0xed,0xb5,0xa4,
    0x4a,0xa0,0x2a,0xa1,0x32,0xfe,0x23,0xda,0x5b,0xff,0x5e,0xf0,0xd1,0x47,0x5a,0xf8,
    0x41,0x58,0x43,0x84,0x98,0x39,0xd7,0x40,0x83,0xc4,0xe9,0x89,0x01,0x59,0xde,0x0c,
    0x49,0x1a,0xd4,0x61,0x06,0xd3,0xe5,0x1e,0x28,0x38,0xe3,0x54,0xb3,0x99,0x3c,0xd8,
    0x8a,0x7e,0xdc,0x36,0x63,0xb4,0xdd,0xb2,0x52,0x17,0x53,0xcf,0x02,0xe7,0xfb,0x44,
    0xc5,0x6a,0x29,0x78,0x09,0xe8,0x6d,0x7b,0xd6,0x4f,0xcd,0x6b,0xcc,0x87,0x1f,0x4c,
    0xc8,0xb6,0xaf,0xe1,0x35,0xc6,0x77,0xea,0x2f,0x03,0x60,0xa6,0xf2,0xdb,0x96,0xb1,
    0x26,0xd0,0x20,0xfa,0x4b,0x80,0x9e,0xf5,0x9b,0x12,0x07,0x70,0x00,0xa2,0x19,0x30,
    0xae,0x85,0x2d,0xb9,0x93,0x76,0xa9,0xb0,0x37,0x8c,0x6c,0x7a,0xf9,0xac,0x5c,0xad,
    0x91,0x4e,0x88,0x3f,0x62,0x71,0x9f,0x69,0x21,0xc3,0x0e,0x8d,0x79,0x0a,0xfc,0xef,
    0x7d,0x57,0x9d,0x92,0xbe,0x55,0x2e,0x15,0x8e,0xa7,0x31,0x3b,0xca,0xdf,0x4d,0x67,
    0x6f,0xbd,0xf7,0xa3,0x45,0xa8,0x7c,0xee,0x8b,0x16,0x25,0x18,0x73,0xab,0x2b,0xc2
};

uchar ri[256] = {
    0xbc,0x6c,0x8c,0xa9,0x0f,0x18,0x74,0xba,0x01,0x94,0xdd,0x03,0x6f,0x3b,0xda,0x35,
    0x24,0x4b,0xb9,0x44,0x14,0xe7,0xf9,0x89,0xfb,0xbe,0x71,0x2d,0x08,0x05,0x77,0x9e,
    0xb2,0xd8,0x06,0x56,0x28,0xfa,0xb0,0x2c,0x78,0x92,0x52,0xfe,0x3d,0xc2,0xe6,0xa8,
    0xbf,0xea,0x54,0x15,0x22,0xa4,0x83,0xc8,0x79,0x65,0x1f,0xeb,0x7e,0x2e,0x39,0xd3,
    0x67,0x60,0x19,0x62,0x8f,0xf4,0x46,0x5d,0x16,0x70,0x50,0xb4,0x9f,0xee,0xd1,0x99,
    0x27,0x02,0x88,0x8a,0x7b,0xe5,0x0d,0xe1,0x61,0x6d,0x5e,0x58,0xce,0x0a,0x5a,0x25,
    0xaa,0x73,0xd4,0x84,0x0b,0x23,0x47,0xef,0x04,0xd7,0x91,0x9b,0xca,0x96,0x21,0xf0,
    0xbb,0xd5,0x0e,0xfc,0x09,0x10,0xc5,0xa6,0x93,0xdc,0xcb,0x97,0xf6,0xe0,0x81,0x3c,
    0xb5,0x1c,0x0c,0x68,0x63,0xc1,0x2b,0x9d,0xd2,0x6b,0x80,0xf8,0xc9,0xdb,0xe8,0x31,
    0x33,0xd0,0xe3,0xc4,0x3f,0x1e,0xae,0x34,0x64,0x7d,0x4c,0xb8,0x49,0xe2,0xb6,0xd6,
    0x51,0x53,0xbd,0xf3,0x4f,0x45,0xab,0xe9,0xf5,0xc6,0x42,0xfd,0xcd,0xcf,0xc0,0xa2,
    0xc7,0xaf,0x87,0x7c,0x85,0x4e,0xa1,0x11,0x1a,0xc3,0x41,0x12,0x26,0xf1,0xe4,0x37,
    0x1b,0x36,0xff,0xd9,0x69,0x90,0xa5,0x17,0xa0,0x48,0xec,0x40,0x9c,0x9a,0x3e,0x8b,
    0xb1,0x5c,0x43,0x75,0x72,0x2a,0x98,0x66,0x7f,0x13,0x57,0xad,0x82,0x86,0x6e,0xed,
    0x2f,0xa3,0x29,0x7a,0x30,0x76,0x3a,0x8d,0x95,0x6a,0xa7,0x38,0x1d,0x4d,0xf7,0xdf,
    0x5b,0x20,0xac,0x32,0x07,0xb7,0x4a,0xf2,0x5f,0xcc,0xb3,0x8e,0xde,0x00,0x55,0x59
};
1. A method comprising the step of:

updating values associated with respective elements in a rotational state vector by changing one or more of 
said values, said rotational state vector having been used to encrypt, based on a key, a plain text byte to generate 
a cipher text byte, the updating being a function of one or more of: said cipher text byte or said plain text byte. 

2. The method of claim 1 wherein said cipher text byte is generated by the step of:

processing said plain text byte through an alternating cascade of non-linear and linear transformations
wherein said linear transformations are functions of said rotational state vector. 

3. A method comprising the steps of: 

a) encrypting, based on a key and on values associated with respective elements in a rotational state vector 
a plain text byte of information to yield a cipher text byte of information, and 

b) changing one or more of said values based on one or more of: said plain text byte or said cipher text byte. 

4. The method of claim 3 wherein the step of encrypting comprises the step of: 

processing said plain text byte through an alternating cascade of non-linear and linear transformations where- 
in said linear transformations are functions of said rotational state vector. 

5. A method comprising the steps of: 

a) encrypting, using a block cipher, a block of plain text to yield a block of cipher text, wherein said block cipher 
encrypts said block of plain text using a rotational state vector and a key, and 

b) updating values associated with respective elements in said rotational state vector as a function of one or 
more of: a byte in said block of plain text, a byte in said block cipher text or said key.

6. The method of claim 5 wherein the step of encrypting comprises the step of: 

processing bytes in said block of plain text through an alternating cascade of non-linear and linear transfor- 
mations wherein said linear transformations are functions of said rotational state vector. 

7. The method of any of the preceding claims wherein said values associated with respective elements in said rota- 
tional state vector are initialized as a function of said key. 

8. A method of encrypting a block of information, said block of information comprising a plurality of bytes, to yield a 
final block of encrypted information comprising a plurality of final encrypted bytes, said method comprising the 
steps of: 

a) for each byte in said plurality of bytes, processing said each byte through an alternating cascade of non- 
linear and linear transformations to yield a corresponding intermediate encrypted byte in an intermediate block 
of encrypted information, wherein said linear transformations are functions of a rotational state vector, and 
then updating said rotational state vector as a function of one or more of: a byte in said block of information, 
an intermediate encrypted byte in said intermediate block of encrypted information or a key, and

b) for each intermediate encrypted byte in said intermediate block of encrypted information, processing said 
each intermediate encrypted byte to yield a corresponding final byte in a final block of encrypted information, 
wherein the processing of said each intermediate encrypted byte is a function of at least one other byte in said 
plurality of bytes. 

9. The method of claim 8 further comprising the step of initializing said rotational state vector. 

10. A method of encrypting a first block of bytes comprising the steps: 

a) for each byte in said first block of bytes, cyclically subtracting said each byte from a successive byte in a 
key to yield a byte in a second block of bytes, 

b) for each byte in said second block of bytes, processing said each byte through an alternating cascade of 
non-linear and linear transformations to yield a byte in a third block of bytes, wherein said linear transformations 
are functions of a rotational state vector, and then updating said rotational state vector as a function of one or
more of: a set of bytes in said third block, a set of bytes in said second block or said key,

c) reversing the order of the bytes in said third block of bytes to yield a fourth block of bytes, 

d) for each byte in said fourth block of bytes, processing said each byte through an alternating cascade of 
non-linear and linear transformations to yield a byte in a fifth block of bytes, wherein said linear transformations 
are functions of a rotational state vector, and then updating said rotational state vector as a function of one or 
more of: a set of bytes in said fifth block, a set of bytes in said fourth block or said key, 

e) for each byte in said fifth block of bytes, cyclically subtracting said each byte from a successive byte in a 
key byte to yield a byte in a sixth block of bytes. 

11. The method of claim 9 or claim 10 wherein said rotational state vector is initialized as a function of said key.

12. The method of any of the preceding claims wherein said non-linear transformations are look-up operations in a
permutation table. 



13. A system comprising: 



a) means for encrypting, based on a key and on values associated with respective elements in a rotational 
state vector a plain text byte of information to yield a cipher text byte of information, and 

b) means for changing one or more of said values based on one or more of: said plain text byte or said cipher 
text byte. 

14. The system of claim 13 wherein the means for encrypting comprises: 

means for processing said plain text byte through an alternating cascade of non-linear and linear
transformations wherein said linear transformations are functions of said rotational state vector.

15. The system of claim 13 or claim 14 further comprising means for initializing said values associated with respective
elements in said rotational state vector as a function of said key.

16. A system comprising: 

a) means for encrypting, using a block cipher a block of plain text to yield a block of cipher text, wherein said 
block cipher encrypts said block of plain text using a rotational state vector and a key, and 

b) means for updating values associated with respective elements in said rotational state vector as a function 
of one or more of: a byte in said block of plain text, a byte in said block cipher text or said key. 

17. The system of claim 16 wherein the means for encrypting comprises: 

means for processing bytes in said block of plain text through an alternating cascade of non-linear and linear 
transformations wherein said linear transformations are functions of said rotational state vector. 

18. The system of any of claims 13 to 17 wherein the means for processing comprises a permutation table. 